This question has to have been asked (or alluded to) at some point in the history of this virus-conscious community. But none of my searches turned up any such threads, so I am going to take the liberty of starting two threads in one day. #TopicHog
OK, I am really not a programmer, and I may ask what seem like very stupid questions, make some very ignorant assumptions... Please bear with me.
Is it possible for a very skilled programmer to break open (decompile?) an executable-install file and remove malware? And then recompile the whole mess of code and have it still function properly... The question is this: CAN YOU CLEAN A DIRTY INSTALL FILE AND SALVAGE IT, SO THAT YOUR FRIEND CAN HAVE A CLEAN INSTALL?
I have provided the following conditions to accompany my question:
- The malware has been previously identified and successfully thwarted. (i.e., you have loaded the exe file onto your machine; your machine became infected, but you isolated the threat and identified it as a common browser hijacker. You also have logs of its system-level activities from the point of installation to the point of eradication.)
- The malware has no inherently destructive capabilities. (i.e., it is not a wipeware or anything aggressively malicious, just a predictable browser hijacker or toolbar bug.)
- The malware does not otherwise interfere with or compromise the integrity of the desired software. (i.e., the .exe has no apparent problems aside from the fact that your Chrome browser has suddenly become compromised. The desired software appears to be intact and to function normally -- from which we can infer that its code has not been disturbed.)
- However, no mal/adware could be detected in the .exe file upon preemptive scan by several reputable anti-malware applications. (i.e., the bug has hidden itself very well in the install file. Even though it is fairly easy to detect and kill [with the right weapons] once it is out, it seems to have been cleverly embedded in the .exe file containing the desired software.)
Did that make sense? No?
OK, Hypothetical Story Time!
Jim is a programmer who decides he wants a particular version of software called Goodware v7.x. Goodware is a great program, but it is a bit esoteric, is made in Central Asia somewhere, and is only available from third-party download sites. For this reason, Jim is a little worried. (But not too worried, because Jim is a skilled hacker who pwns any malicious digibyte that dares step to him.)
Not terribly worried, Jim scans the Goodware install file with several anti-malware applications: MonkeyVirus, AlphaVirus, and MileyVirus -- all come up as "No threats detected", so Jim installs the Goodware .exe on his machine.
Once Goodware is installed and Jim has used the software to do a few good things to his hard drive, he goes to his Chrome browser to check his email and BAM! He realizes that his Chrome browser has been hijacked by a mal that has set his homepage to Badware.tk.
OH NO! What does Jim do?
Well, Jim looks over his logs, peruses some keyword searches for Badware.tk on his phone, deletes a few system files and registry entries, executes a few command-line commands, runs AlphaVirus again, uninstalls/reinstalls his Chrome browser, restarts his machine, runs Goodware (which still works perfectly, sans virus), confirms that the malware has been eradicated, and *poof*, it's all fixed (because Jim knows what he is doing).
But Jim wants to give a copy of Goodware to his boyfriend, Thomas. Thomas works on custom cars for a living, is not a computer expert, and probably wouldn't know what to do if Badware attacked his five-year-old computer.
Since Goodware is fairly hard to come by, and this bug seemed easy enough to kill, Hacker Jim wonders if it might be possible to actually extract the Badware from the executable file before giving it to Thomas.
My QUESTION redux:
Would it really be worth the trouble for Jim to try to fish the Badware out of the Goodware install file?
What if Jim was fully aware that it would be much safer and probably faster to just go find another copy of Goodware from a different host, but he is now curious and obsessed with this idea: 'COULD I POSSIBLY PURGE THE INSTALL FILE MANUALLY?'
The point I am getting at is this: If someone had some skills and was really obsessed with the process, no matter how impractical it might be, would it even be feasible to remove a known threat from a common-format installation file before transmitting it to a less savvy friend?
(Maybe one of these framings makes some sense?... Hopefully.)
This relates indirectly to my earlier post suggesting the adoption of a clean installation of Irfanview on the Bleeping downloads section.
I will hog no more topics today. Thank you for reading.
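As an added illustration of the "could I purge the install file manually?" question (this is example code written for this page, not something posted by the original author), the first thing an analyst would check on a Windows .exe installer is whether there is data appended past the end of the PE image (the "overlay"), since that is where wrapper-style bundlers usually stash an extra payload. The script below assumes the install file is a PE executable, builds a constructed minimal PE image purely so it can run offline, locates the overlay, checks whether the overlay is nothing more than an Authenticode signature (which also lives there and is pointed to by the security data directory), and shows how cutting the overlay off would be done. All file names and sample bytes are invented for the demonstration.

```python
"""Locate and optionally strip data appended past the end of a PE image.

Added example for this thread: not the original poster's code, and the
sample PE built by build_sample_pe() is constructed here, not a real program.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode entry


def parse_pe_layout(data: bytes) -> dict:
    """Parse just the header fields needed to find the end of the PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories start at +96
        dirs_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dirs_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    security_dir = (0, 0)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike other directories this entry holds a raw file offset.
        security_dir = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sh = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sh + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"sections": sections, "security_dir": security_dir,
            "headers_end": sh + num_sections * SECTION_HEADER_SIZE}


def overlay_offset(data: bytes) -> int:
    """File offset where the last section's raw data ends (clamped to EOF)."""
    layout = parse_pe_layout(data)
    end = layout["headers_end"]
    for s in layout["sections"]:
        end = max(end, s["raw_ptr"] + s["raw_size"])
    return min(end, len(data))


def describe_overlay(data: bytes) -> dict:
    """Report overlay start/size and whether it is only the Authenticode blob."""
    start = overlay_offset(data)
    size = len(data) - start
    sec_off, sec_size = parse_pe_layout(data)["security_dir"]
    signed_only = size > 0 and sec_off == start and sec_size == size
    return {"start": start, "size": size, "security_dir_only": signed_only}


def strip_overlay(data: bytes) -> bytes:
    """Return the image without its overlay. Caution: installers such as
    NSIS/Inno/self-extractors keep their *legitimate* payload here, so this
    breaks them; it is only a sensible move for a plain wrapper stub."""
    return data[:overlay_offset(data)]


def build_sample_pe(overlay: bytes = b"", sign_overlay: bool = False) -> bytes:
    """Constructed minimal PE32 (headers + one .text section) for the demo."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = bytearray(16 * 8)
    if sign_overlay:   # pretend the overlay is exactly the signature table
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x400, len(overlay))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + bytes(dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + PE_SIGNATURE + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    text = b"\xC3" + b"\0" * 0x1FF          # raw data occupies 0x200..0x400
    return headers + text + overlay


if __name__ == "__main__":
    bundled = build_sample_pe(b"FAKE-PAYLOAD" * 8)     # constructed sample
    print(describe_overlay(bundled))
    print(describe_overlay(build_sample_pe(b"SIG" * 20, sign_overlay=True)))
```

A non-empty overlay that is not the signature table tells Jim where to look, not that he has found the Badware: most real installers (NSIS, Inno Setup, 7-Zip SFX) store their whole file archive in the overlay, so the sane next step is to identify the installer format and list its contents with an unpacker (7-Zip can open NSIS and many SFX archives) rather than to cut bytes off the end. Even if the extra component is isolated that way, the installer's own script still has to be rebuilt without it, and any Authenticode signature will no longer verify, which is why finding a second, clean copy of Goodware is the better answer in practice.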